From ef2b8b9470827d97c8bf3fe0f91ccf1abdd8c9fc Mon Sep 17 00:00:00 2001
From: Michael Tibben
Date: Thu, 9 Mar 2023 21:43:35 +1100
Subject: [PATCH] Elevate stored credentials above source_profile

---
 vault/credentialkeyring.go | 14 +-------------
 vault/vault.go | 24 ++++++++++++------------
 2 files changed, 13 insertions(+), 25 deletions(-)

diff --git a/vault/credentialkeyring.go b/vault/credentialkeyring.go
index 0feb0a20a..d57ee6fcc 100644
--- a/vault/credentialkeyring.go
+++ b/vault/credentialkeyring.go
@@ -18,25 +18,13 @@ func (ck *CredentialKeyring) Keys() (credentialsNames []string, err error) {
 return credentialsNames, err
 }
 for _, keyName := range allKeys {
- if IsStoredCredential(keyName) {
+ if !IsSessionKey(keyName) && !IsOIDCTokenKey(keyName) {
 credentialsNames = append(credentialsNames, keyName)
 }
 }
 return credentialsNames, nil
 }
 
-func IsStoredCredential(keyName string) bool {
- return !IsSessionKey(keyName) && !IsOIDCTokenKey(keyName)
-}
-
-func (ck *CredentialKeyring) HasStoredCredential(credentialsName string) bool {
- _, err := ck.Has(credentialsName)
- if err == nil {
- return IsStoredCredential(credentialsName)
- }
- return false
-}
-
 func (ck *CredentialKeyring) Has(credentialsName string) (bool, error) {
 allKeys, err := ck.Keyring.Keys()
 if err != nil {
diff --git a/vault/vault.go b/vault/vault.go
index c6f4e7831..5480dad25 100644
--- a/vault/vault.go
+++ b/vault/vault.go
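Review bot: `Keys` is now the only place that encodes what counts as a stored credential (neither a session key nor an OIDC token key), but that contract is not documented anywhere; the signature sits in the hunk header, outside the hunk, so the comment belongs above it: `// Keys lists the credential names held in the keyring, excluding session keys and OIDC token keys.` Dropping the exported `IsStoredCredential` and `HasStoredCredential` is a breaking change for any importer of the vault package; if external use matters, a `// Deprecated:` wrapper around the inlined condition would keep compatibility. `Keys` begins before this hunk and `Has` continues after it.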
@@ -237,27 +237,27 @@ type tempCredsCreator struct {
 chainedMfa string
 }
 
-func (t *tempCredsCreator) getSourceCreds(config *ProfileConfig) (sourcecredsProvider aws.CredentialsProvider, err error) {
+func (t *tempCredsCreator) getSourceCreds(config *ProfileConfig, hasStoredCredentials bool) (sourcecredsProvider aws.CredentialsProvider, err error) {
+ if hasStoredCredentials {
+ log.Printf("profile %s: using stored credentials", config.ProfileName)
+ return NewMasterCredentialsProvider(t.Keyring, config.ProfileName), nil
+ }
+
 if config.HasSourceProfile() {
 log.Printf("profile %s: sourcing credentials from profile %s", config.ProfileName, config.SourceProfile.ProfileName)
 return t.GetProviderForProfile(config.SourceProfile)
 }
 
+ return nil, fmt.Errorf("profile %s: credentials missing", config.ProfileName)
+}
+
+func (t *tempCredsCreator) GetProviderForProfile(config *ProfileConfig) (aws.CredentialsProvider, error) {
 hasStoredCredentials, err := t.Keyring.Has(config.ProfileName)
 if err != nil {
 return nil, err
 }
 
- if hasStoredCredentials {
- log.Printf("profile %s: using stored credentials", config.ProfileName)
- return NewMasterCredentialsProvider(t.Keyring, config.ProfileName), nil
- }
-
- return nil, fmt.Errorf("profile %s: credentials missing", config.ProfileName)
-}
-
-func (t *tempCredsCreator) GetProviderForProfile(config *ProfileConfig) (aws.CredentialsProvider, error) {
- if !t.Keyring.HasStoredCredential(config.ProfileName) {
+ if !hasStoredCredentials {
 if config.HasSSOStartURL() {
 log.Printf("profile %s: using SSO role credentials", config.ProfileName)
 return NewSSORoleCredentialsProvider(t.Keyring.Keyring, config, !t.DisableCache)
@@ -274,7 +274,7 @@ func (t *tempCredsCreator) GetProviderForProfile(config *ProfileConfig) (aws.Cre
 }
 }
 
- sourcecredsProvider, err := t.getSourceCreds(config)
+ sourcecredsProvider, err := t.getSourceCreds(config, hasStoredCredentials)
 if err != nil {
 return nil, err
 }
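Review bot: In `getSourceCreds`, the new `if hasStoredCredentials` branch returns before `config.HasSourceProfile()` is consulted, so a profile that has both a stored credential and a configured `source_profile` silently skips the configured chain and the only trace is the generic "using stored credentials" line. Adding, inside that branch, `if config.HasSourceProfile() { log.Printf("profile %s: stored credentials take precedence over source_profile %s", config.ProfileName, config.SourceProfile.ProfileName) }` would make the precedence visible to the operator reading the output. The function also has no doc comment; `// getSourceCreds returns the provider that role assumption or session creation for this profile starts from: the profile's own stored credentials if present, otherwise its source_profile; it errors when neither exists.` would record the new ordering. `GetProviderForProfile` continues past the end of this hunk, and the second hunk of this file is only the matching call-site argument change.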